While many Linux distribution vendor kernels are already using SHA-512 for signing modules by default rather than the default SHA-1, the upstream Linux 6.14 kernel is also now switching the default over to using SHA-512 for better security.
With the latest code merged to the mainline Linux 6.14 Git kernel today, SHA512 is now used as the default rather than SHA1 for signing of kernel modules. SHA512 is more modern and much more secure than SHA1 against attacks with SHA1 weaknesses being well known for many years at this point. Many other software components have already discontinued the use of SHA1. SHA1 signing support remains available within the Linux kernel at this time but no longer the default.
OpenSSL used by some current and future Linux distributions also error out when trying to use SHA1 signatures for kernel modules that in turn can lead to kernel build failures.
It’s a long overdue change for using SHA512 as the upstream default for signing kernel modules and will be part of Linux 6.14 with the code merged today. The SHA512 module signing default was merged today as part of the module changes for this next kernel release.
